Computer antivirus programs are commonly used to detect, clean, and remove computer viruses from infected objects such as data files. One form of detection typically used is scanning of objects resident on a hosting computer system's storage device(s). Objects are scanned for the presence of an embedded virus, and the scanning may be either signature-based or heuristic. After a virus has been detected in an object, responses typically involve cleaning or repairing the infected object (the object containing the virus), deleting the infected object, or quarantining the infected object to block further access.
In some instances, advanced cyber-attacks can infect target machines well before the attack is identified, and the duration of infection can extend for as long as a year. During this period the attackers perform internal reconnaissance, move laterally (infect additional machines), maintain presence, and collect and possibly exfiltrate data. During such an extended period of time, not only are different machines infected, but backup images of the machines may also be infected. For example, if malware installs itself in the master boot record (MBR) of a machine or in any specific binary, then when the machine is backed up the backup image becomes infected. Accordingly, it may be difficult to return to those images even if the malware has been eradicated from the production machines.